JavaScript源代码加密对于混淆有用吗? [英] Is JavaScript source encryption useful for obfuscation?
问题描述
我正在考虑的一种方式就是这样的一种
- 尽可能地压缩/混淆JavaScript
- 将JavaScript加密到一个sctring中,并用一个小的解密JavaScript来包装所有的东西,它将评估解密的字符串(解密的关键使用AJAX从同一网站上的其他页面检索)
这是我的动力:
- 人们都应该使用相同版本的游戏,而不是琐碎的欺骗
- 源代码包含可能很容易的黑客对于像我这样的JavaScript开发人员来说,可能会将代码复制粘贴并滥用垃圾邮件。 li>
- 知情的垃圾邮件发送者可以发现任何数量的脚本已经可以免费上网了,我只是不想让它从我的脚本中免费
- 我想任何人能够运行应用程序没有任何隐藏的秘密知道(这将使脚本公开可用无意义,因为那时我只是分享我信任的游戏,使脚本本身是秘密)
不要误会我,我知道绝对没有办法确保JavaScript的源代码不会对知情/智能用户可用,我我只是投票看看这是否是徒劳无功的,我甚至不应该考虑额外的加密步骤,或者如果有人相信这种技术有一些优点。
我倾向于相信它可能会阻止休闲用户,我只是不知道如何破坏它需要多少知识,如果偶然的社交网络用户可能会破坏它。
另外,我怀疑firebug,开发人员工具,网络检查员只会显示评估的代码,但我不知道。如果是这样,那么根本不会做任何事情来保护它。网站上的大多数用户使用Chrome(从我听到的,因为它在该浏览器上效果最佳)。那么Chrome会在网络检查器中轻松显示?
您所描述的缩小和混淆和加密都是次要障碍在人们用你的代码弄脏的方式。每个小障碍都会阻止少数黑客入侵。但是,没有一个会阻止确定的黑客。
所有这些都要做的是绕过加密,在调试器中设置一个断点,并在之后捕获代码它被发送到eval之前被解密,然后复制/粘贴出调试器。所以,它几乎甚至不会放慢确定的黑客。事实上,缩小(用无意义的短名称代替所有有意义的变量名称,实际上为黑客了解代码创造了更多的工作)。
个人而言,我会避免加密因为它并没有增加太多,而确定的黑客真的很容易找到。
I am thinking about creating mini-games in JavaScript that a public social website (yourworldoftext.com) and I had a thought, I am a user of the site and would be embedding my JavaScript in a link's href that others can click on to start the game.
One way I was thinking about would be something like this
- Compress/obfuscate the JavaScript as much as possible
- Encrypt the JavaScript into a sctring and wrap everything with a small decryption JavaScript that will evaluate the decrypted string (the key to decrypt would be retrieved using AJAX from some other page on the same site)
Here is my motivation:
- people should all be using the same version of the game and its not trivial to cheat
- The source code contains hacks that might be easy for a JavaScript developer like me to write, but potentially the code could be copy pasted and misused to spam the site
- The informed spammer could find any number of scripts already available for free online, I just don't want it to be free from my scripts
- I want anyone to be able to run the app without any hidden secret to know (which would make having the script publicly available meaningless because then I'd just share the game those I trusted making the script itself the secret)
Don't misunderstand me, I know there is absolutely no way to ensure that the source code behind the JavaScript would not be available to the informed/intelligent user, I am merely polling to see if this is an exercise in futility and I shouldn't even bother with the extra encryption step, or if any believe that there is some merit to this technique.
I am inclined to believe that it might thwart the casual user, I'm just not sure how much knowledge would be required to break it, if maybe the casual social network user could break it.
Also, I suspect that firebug, developer tools, web inspector will just show the evaluated code anyway, but I'm not sure. If so then it wouldn't really do anything at all to protect it. Most users on the site use chrome (from what I hear because it works best on that browser). So would chrome show it easily in the web inspector?
Minification and obfuscation and encryption as you've described are all minor obstacles in the way of people mucking with your code. Each minor obstacle will discourage a small number of would-be hackers. But, none of the three will discourage the determined hacker.
All one has to do to get around the encryption is set a breakpoint in the debugger and capture the code right after it's been decrypted before it's sent to eval and then copy/paste out of the debugger. So, it barely even slows down the determined hacker. In fact, minification (replacing all meaningful variable names with meaningless short names actually creates more work for the hacker in understandong your code).
Personally, I'd avoid the encryption as it doesn't really add much and it's real easy for the determined hacker to get around.
这篇关于JavaScript源代码加密对于混淆有用吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
